Tor vs Shields Up

Discussion in 'privacy problems' started by Liquidslam, Oct 16, 2006.

Thread Status:
Not open for further replies.
  1. Liquidslam

    Liquidslam Registered Member

    Joined:
    Apr 1, 2005
    Posts:
    15
    Hi,
    For some time I have been using what I call the triple bypass: Tor-Privoxy-Proxomitron. I configured it using Kye-U's page on his Proxomitron site. I periodically test its effectiveness by clicking on various IP testing sites like privacy.net, whatismyip, etc. and my IP has never been discovered, until yesterday. That's when I decided to test my anonymity with Shields Up. It took them about 6 seconds to nail me. First I made sure everything was up and running and then tested it again on the two IP check sites mentioned above plus a couple of others and on all of them I was cloaked. Then I retested with Shields Up and was nailed again. Now I know I must be doing something wrong and would be really grateful if somebody would point me in the right direction.
    For the record I am using the latest Firefox with all Java disabled, the NoScript addon and all cookies session only.
     
  2. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Not sure if this pertains to the Shields-up site or not. Do not run any IP masking services :cool: so I can not test it. However there is a little trick, based on a Java applet, that will show you and only you your PC's IP. :blink: Do not know if this is the case for Shields-up or not. You may be able to disable Java in FF to test this. :rolleyes: Hopefully someone else will come along to either verify or debunk my statement.
    Edited: Just reread your post and see that Java is already disabled. :oops: We'll now have to wait for someone else to come along. :blink:
     
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Liquidslam :)

    If you check with Shields Up with Tor running as a client only or as a client+server
    and Firefox + the correct proxy setup for Tor,
    the Shields Up test sees the IP address of the exit node you're using, not your IP.

    Since this Tor exit node is used as a server it's absolutely normal to have some ports open like 9001... A server cannot be stealth because there is at least one port listening for incoming connections ... This is the definition of a server: any machine in a network listening on at least one port for an incoming connection...

    If you check again but this time with Firefox without proxy setup (say a "direct internet connection") you have the following results:

    If you're running Tor as a server your server ports are open and your PC is not stealth

    If you're running Tor as a client only this time your PC is stealth...

    Briefly said:

    Firefox + direct connection + Tor as client or no Tor = PC normally stealth for your IP
    Firefox + proxy connection + Tor as client only = Not stealth (exit node ip...)
    Firefox + proxy connection + Tor as server = Not stealth (exit node ip...)
    Firefox + direct connection + Tor as server = Not Stealth (you're running a server on your IP...)

    Last remark:

    Without Tor running (client or server) your PC must be stealth. If not, there is something wrong with your firewall settings. Check this first.

    With Tor running as a server and a direct connection, the Shields Up test must show your Tor server port(s) only.
    If not, there is a problem with your firewall rules for Tor...

    The only open ports must be the following:

    9001: the Tor server listening port for Tor incoming connections

    and optionally

    9030: mirror server directory port...


    :)
     
    Last edited: Oct 16, 2006
  4. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi ThunderZ :)

    Hello ! I guess there is some confusion between Java and Javascript... ;)

    Java is a product of Sun Microsystems ... There are few security problems with this.
    Javascript is a programming language used for applications and often web applications.
    There are security problems with this and the best is, as you know, to disable it except for good web sites
    (with NoScript in Ff).

    Both are not related to the Shields Up test results (as far as I know.)
    This test sends TCP packets with the SYN flag to different ports.
    Depending on the answer (or no answer) the ports are declared:
    blocked, closed or stealth (no answer..).

    This is not related to Java or Javascript enabled or not in your browser...

    The Shields Up tests are for TCP (transport layer of the TCP-IP stack), not HTTP, an application layer protocol.

    See this:
    http://en.wikipedia.org/wiki/TCP-IP

    For the HTTP layer you may test your Browser security there:
    http://gemal.dk/browserspy/

    :)
     
  5. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    :thumb: Thanks for the clarification. Not being a programmer it is about as clear as mud...:blink: But at least hopefully the OP got his question answered and I learned something I may remember for future reference. :D
     
  6. Liquidslam

    Liquidslam Registered Member

    Joined:
    Apr 1, 2005
    Posts:
    15
    Thanks, guys for your replies. Sorry I didn't get back to you sooner.
    Yours, Climenole, demands a little bit more input on my part and feedback from you before I'm 100% sure I've got it right.

    First of all let me state that 1: I am running Tor as a client and not as a server. 2: I am using Zone Alarm Pro and have just run a port probing test with Shields Up. It confirms that all service ports from 0 to 1066 are stealthed.
    My confusion lies in the fact that that is exactly what I thought I was doing. Else why would all the other sites find only my exit node? By "direct internet connection" are you saying that I should drop both the Proxomitron and Privoxy and only run Tor?
    Believe me I'm not being deliberately obtuse here but I'm still pretty much of a newbie when it comes to manipulating proxies.

    It just occurred to me that some time back I tried this same test with Shields Up with the same triple bypass configuration and on that occasion my IP was cloaked. The only change since then is that I am now behind a router/gateway with its own firewall.
    Could this be a factor?
    Thanks again.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Liquidslam,

    Your problem is most likely due to not having https filtering set up in Proxomitron - this would result in https traffic being sent directly (not using Tor) and since ShieldsUp uses https (to bypass normal proxies) it would then detect your "real" IP.

    The Dangers of HTTPS thread gives more information on how to set up https filtering with Proxomitron (plus a few reasons on why it is desirable).
     
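The failure mode Paranoid2000 describes (http:// going through the filtering chain while https:// is sent directly) can be checked offline from Firefox's own proxy preferences. This is an added example, not code from the thread or from Proxomitron, Privoxy or Tor; the `network.proxy.*` pref names are real Firefox keys, while the sample prefs and the port numbers are constructed.

```python
import re

# Real Firefox pref names; the sample prefs below are constructed, not from the thread.
PROXY_PREF_RE = re.compile(
    r'user_pref\("(network\.proxy\.[a-z_]+)",\s*(?:"([^"]*)"|(\d+))\);'
)

def parse_prefs(text):
    """Extract network.proxy.* keys from prefs.js / user.js text."""
    prefs = {}
    for match in PROXY_PREF_RE.finditer(text):
        key, str_val, int_val = match.groups()
        prefs[key] = str_val if str_val is not None else int(int_val)
    return prefs

def find_leaks(prefs):
    """Return the URL schemes Firefox would send directly, bypassing the proxy."""
    # Manual config (type 1): http:// uses network.proxy.http, https:// uses network.proxy.ssl;
    # an empty entry falls back to network.proxy.socks, and with neither set it goes out unproxied.
    proxy_type = prefs.get("network.proxy.type", 0)
    if proxy_type == 0:
        return ["http", "https"]   # "No proxy": everything is direct
    if proxy_type != 1:
        return []                  # PAC/system/WPAD: not decidable from these keys
    socks = prefs.get("network.proxy.socks")
    leaks = []
    if not prefs.get("network.proxy.http") and not socks:
        leaks.append("http")
    if not prefs.get("network.proxy.ssl") and not socks:
        leaks.append("https")
    return leaks

# Constructed: http:// goes through a filtering proxy on 8080, the SSL entry is left blank.
LEAKY_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "");
'''

# Constructed: the same prefs with https:// also pointed at the filtering proxy.
FIXED_PREFS = LEAKY_PREFS.replace(
    'user_pref("network.proxy.ssl", "");',
    'user_pref("network.proxy.ssl", "127.0.0.1");\n'
    'user_pref("network.proxy.ssl_port", 8080);',
)

if __name__ == "__main__":
    for name, text in (("leaky", LEAKY_PREFS), ("fixed", FIXED_PREFS)):
        print(name, "-> direct schemes:", find_leaks(parse_prefs(text)) or "none")
```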
  8. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Liquidslam :)

    So there is no problem apparently ... ;)


    I guess my explanation gave you more confusion than understanding. Sorry for this.
    English is not my native language and my sentences are sometimes "strange",
    full of gallicisms and weird usage of English grammar and irregular verbs... ;)

    Let me quote myself:
    «
    Firefox + direct connection + Tor as client or no Tor = PC normally stealth for your IP
    Firefox + proxy connection + Tor as client only = Not stealth (exit node ip...)
    »

    So your configuration is Firefox + proxy connection + Tor as client only ...

    But you say that Shields Up gives you a Stealth result...

    When you start the Shields Up test it shows you on which IP address the test will be performed.
    Was this address your real IP OR the Tor exit node you're using at this moment?

    If the IP checked by Shields Up was your IP address:
    your configuration was at this moment: Firefox + direct connection + Tor as client or no Tor.

    This means that Tor was not running or the setup of your browser was using a direct connection, not a proxy connection like Tor + Privoxy (or Proxomitron) + Firefox + connection setup to use Tor.

    If you do this, for sure the result will be "Stealth" (if you have a firewall).

    But if you set your system like this:
    Firefox (with internet connections set to use a proxy) + proxy connection (with Privoxy or Proxomitron) + Tor as client, the address shown at the Shields Up test will be the IP address of the Tor node you're using, not your IP.

    Since you're using a Tor exit node I suppose (maybe I'm wrong) that this exit node is a Tor SERVER.

    If so it's impossible to have a Stealth result...
    I'm not only talking about the ports 0 to 1055 but all ports!
    (If you limit the test for the first 1056 ports it looks always stealth...)

    But if you check carefully for the port 9001 you'll see that port Open...
    This is normal: this is the Tor server port of your exit node ...

    Your PC is still stealth, the only Non-Stealth computer is the exit node computer...
    Don't worry about this please.


    I hope my previous explanations give you the answer...
    Maybe you run the Shields Up test only for the ports 0 to 1055.
    But the test must be done for all ports range after these first 1056 ports...
    (by "chunks" of 64 ports at the time..)

    Don't worry about this.
    By asking questions you prove you're not a newbie and you'll be more skilled with these problems soon.

    Ha! ha! Something new! For sure a router may change the results depending on how it's configured...
    How does the router react to the Shields Up tests? This is an interesting question...

    You may check it that way:

    1- No Tor + Firewall + no router
    2- No Tor + no firewall + router

    And so on...

    Hope this helps.

    :)
     
  9. Liquidslam

    Liquidslam Registered Member

    Joined:
    Apr 1, 2005
    Posts:
    15
    Thank you Paranoid, for that little gem. On the face of it yours would seem to be the most likely solution as it's the only one that would explain why only Shields Up grabs my real IP. Unfortunately implementing it didn't solve the problem.

    To answer your question, Climenole (by the way, is that just a name or does it mean something?) the IP checked by Shields Up was my own.

    If that were true then the other IP checking sites I clicked on both right before and after Shields Up would also have revealed my real IP. But as they didn't I know that the Proxomitron-Privoxy-Tor combination was intact and working. So the answer must be somewhere else. I am starting to think that the router might be the culprit. But as for trying your no router option, as mine is an all in one package: router/modem/gateway with DHCP, how can I shut off the router and still keep the internet connection?
    Thanks for your patience.
     
  10. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Are you sure you implemented it correctly? The process is somewhat complicated so it is possible you missed a step.

    Your question about Shieldsup defeating proxies is not a new one, and Paranoid2000's answer is pretty much a tried and tested answer.

    I have no problems preventing Shields Up from getting my real IP, via Proxomitron + SSL.

    You can pretty much ignore Climenole's post, he misunderstood your question.

    Other ip checking sites do not try to use SSL to bypass your proxy.
     
  11. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Liquidslam :)

    1- climenole: read the Travels of Gulliver by Jonathan Swift...

    2- To keep things simple:

    If the IP checked at Shields Up was your IP it's because something is wrong in your configuration... Tor hides your IP (like a "classic" proxy).

    This is easy to verify.
    Check your IP there: http://www.ippages.com/whatsnew/#tor_detection_xml
    or
    there: http://gemal.dk/browserspy/
    Then check it at grc.com... It must be the same IP address ...

    If Tor and all your stuff is correctly configured the address will be the IP address of the Tor exit node you're using at this moment...

    (And for Devil's Advocate : PERIOD.)

    Yes. Simple like that.

    I agree.

    If all the other settings are correct the last suspect is the router.
    You're absolutely right...

    I suggest you check your Router/Modem/Firewall without Tor to see
    what happens ...

    At Shields Up but also at PC Flank:
    http://www.pcflank.com/
    Stealth Test
    Advanced port scanner
    Exploits tests

    and check also the incoming and outgoing packets with Ethereal or Packetyzer: http://www.networkchemistry.com/products/packetyzer.php

    Hope this helps.
    Let us know.

    :)
     
  12. Liquidslam

    Liquidslam Registered Member

    Joined:
    Apr 1, 2005
    Posts:
    15
    Thank you Devil's Advocate.
    Paranoid2000's answer was one of the few things about this problem which I didn't find complicated. I just followed his link to the Proxo site, downloaded the OpenSSL DLLs zip, opened it and copied the three DLLs into the Proxo directory. Then I checked the "use SSLeay" box and saved the config. I noticed that if you don't install the DLLs properly Proxo won't allow you to check the "use SSLeay" box. This happened the first time, when I neglected to include the msvcr70 (Microsoft) DLL. If I left out anything please let me know as this is really starting to bug me.

    Tried your suggestions Climenole, all except the last two as I first need to learn how to read packet analyzers. Unfortunately they only confirmed what I already knew. But I'll start trying other options. Will let you know how it goes.
    I did read Gulliver's Travels, years ago. Great book, just forgot some of the details.
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    if you use firefox try telling it to use this -
    socks host 127.0.0.1 port 9050

    sorry if i've gone off on a tangent, i haven't read the whole thread properly :rolleyes:
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Apologies for the delayed response...
    One consequence of doing this is that you should receive warnings from your browser about a certificate mismatch when connecting to an https: site (since it will see Proxomitron's certificate rather than the site's - Proxomitron itself should verify the site certificate). If you are not seeing this, then you may not have everything set up properly - checking Proxomitron's logs may provide further information.

    Aside from that, check that you have Java/Javascript/ActiveX filtered by default (in Proxomitron - don't rely on other filters to handle this) since this is the only other plausible method for a site to identify your real IP address.
     
    Last edited: Nov 16, 2006